Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to chart over multiple fields?

mahesh27
Communicator
‎07-25-2023 10:44 AM

my query:

index=abd   ("start app"  AND  "app listed")  |rex field=_raw "APP:\s+(<application1>\S+)"
|rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
|dedup dip
|chart over application1
|appendcols
[|search index=abd ("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") AND  "state: complete"
 |rex field=_raw "APP:  (?<application2>\w+)"
|rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
|dedup dip
|chart over application2




i want output as shown below: HOW TO GET THIS??

application1 count application2 count
L1 10 L1 15
M2 20 M2 4
L3 45 L3 100
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-25-2023 11:01 AM

Hi @mahesh27 ,

have application1 and application2 the same values? and you want the count of each value in application1 and application2?

if yes, you could try something like this:

index=abd   ("start app"  AND  "app listed") OR (("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") "state: complete")
| rex field=_raw "APP:\s+(<application>\S+)"
| rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
| eval app=if(searchmatch("state: complete"),"application2","application1"
| chart 
   count(eval(app="application1")) AS application1
   count(eval(app="application2")) AS application2
   BY application

Ciao.

Giuseppe

0 Karma
Reply

mahesh27
Communicator
‎07-25-2023 11:17 AM

@gcusello , application 1 and application 2 has same application names but different counts, so i want to get the application names and count separately for each application.

i tried the query which you provided i am not getting any results.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-26-2023 08:40 AM

Hi @mahesh27 

with my solution, you have a different count for application1 and application2.

the issue should be on the regexes, could you share some samples from application1 and application2?

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-25-2023 04:28 PM

Have you accounted for some syntax errors?  A valid search would look like

index=abd  ( ("start app"  AND  "app listed") OR ("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") AND "state: complete")
| rex field=_raw "APP:\s+(?<application>\S+)"
| rex field=_raw "LLA:\s+\[(?<dip>[^\]]+)."
| dedup dip
| eval app=if(searchmatch("state: complete"),"application2","application1")
| chart 
   count(eval(app="application1")) AS application1
   count(eval(app="application2")) AS application2
   BY application

If there is no output, it simply means that | rex field=_raw "APP:\s+(?<application>\S+)" (which @gcusello copied from your sample code) extracts nothing.  You need to examine your raw data and find out what is the correct regex.  Alternatively, you will need to post data samples to get help on regex.

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
li.common.scroll-to.top